Pranav Hivarekar's Security Blog

REST-API Lover | Security Researcher | API Coder | Ambivert | GET /noob


Facebook's Bug - Fooling Graph Search to Bypass Privacy Restrictions & Extract Private Information

Description

I was able to fool Facebook's Graph Search, bypass its privacy restrictions and extract sensitive information about a user's applications and Pages. I could get the applications used by any user, and the Pages liked by any user, even when the privacy setting for them was Only Me.

For example, I was able to see the applications used by Mark Zuckerberg despite the privacy settings he had set.

What is Facebook Graph Search and how does it work?

Facebook Graph Search is a smart search tool developed by Facebook and by Google developers who joined Facebook. It was an innovation because it let people see what their friends are doing, which isn't possible with a traditional Google search.

eg. https://www.facebook.com/search/2015/date/photos/4/photos/intersect

The query "Mark Zuckerberg photos from 2015" would return all the photos from 2015.

To understand Graph Search in depth I read several articles about it. You can find many articles on Graph Search in The New Yorker, The New York Times, The Economist, etc.
1. http://www.newyorker.com/news/news-desk/facebook-and-the-future-of-search

That is Graph Search as seen from the outside. But how does it work internally?

Graph Search Internal Working

Graph Search is essentially set theory. Any query that can be expressed as a set operation is executed successfully, and the search engine returns the resulting set.

For example, A = {1,2,3}
B = {2,3,7}

Then, Intersection (A ∩ B) = {2,3}
Union (A ∪ B) = {1,2,3,7}

Graph Search works the same way.

A similar bug was found by Philippe Harewood: "Abusing Facebook Graph Search using GraphQL". That bug gave me the initial idea. He exploited Graph Search through GraphQL, whereas I abused it directly on the website.

Proof Of Concept

Getting the applications used by any user.

Intersection of two sets was handled properly: it did not show any information whose privacy was set to Only Me or to another restricted audience.

eg. https://www.facebook.com/search/me/apps-used/100002065051535/apps-used/intersect

This takes the common set (intersection) of the apps used by me and the apps used by user 100002065051535 and returns the result set.

Union of two sets exposed private data, i.e. it bypassed the privacy settings. An app whose visibility was set to Only Me was still returned in the result set.

eg. https://www.facebook.com/search/me/apps-used/4/apps-used/union

This returned a few applications which were used by me or by Mark Zuckerberg. I demonstrated this vulnerability on my test accounts.

Getting the Pages liked by a user.

On a user's profile, the user can like Pages in categories such as Apps and games, Movies, TV shows, Music, Books, Sports, etc. These Pages are grouped by category and are addressed as individual elements: Books, Music and Sports are separate entities, and each entity has its own privacy option, so a user can pick a different audience for each entity.
eg. I visited this page (https://www.facebook.com/pranavhivarekar.hacker/games?pnref=lhc); it showed me all the sections and let me set a different privacy setting on each section and on individual elements.

So here I was able to extract any user's personal information: the Books he/she read, the Movies he/she watched, etc. All of it was available via Graph Search, regardless of privacy settings.

To check whether a TV show liked by me would be returned, I used another of my test accounts and fired the following query. My privacy setting for that Page was Only Me.

TV show: Taarak Mehta Ka ooltah Chashma

https://www.facebook.com/search/100002065051535/pages-liked/str/Taarak%20Mehta%20Ka%20ooltah%20Chashma/keywords_pages/union==

[Screenshot: Graph Search result]

You can clearly see that Pranav Hivarekar likes this. Despite the privacy setting being Only Me, it was returned in the search. I was able to do this for any user on Facebook.

Now it is patched and it returns the following:

[Screenshot: Graph Search, patched]
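The behaviour described in both proofs of concept (intersection filtered correctly, union leaking Only Me apps, and the same union trick with a keyword operand exposing a Page like) can be modelled in a few lines. The Python below is an added example, not code from this post and not Facebook's code: the users, the app and page entities, the privacy levels, the `keyword` operand and the way the flaw is modelled (a privacy filter that only runs on the intersection path) are all assumptions made for illustration. The point it shows is that the authorization check belongs on every operand before any set algebra; checking the combined result of some operators leaves the others free to widen what a viewer may see.

```python
"""Toy model of a viewer-aware graph search over set operands.

Everything here is constructed for illustration: the users, the app/page
entities, the privacy levels, the "keyword" operand and the way the flaw is
modelled. It is not Facebook code and does not describe Facebook's data model.
"""
from dataclasses import dataclass

ONLY_ME, FRIENDS, PUBLIC = "only_me", "friends", "public"


@dataclass(frozen=True)
class Edge:
    owner: str    # user who used the app / liked the page
    entity: str   # "app:<name>" or "page:<name>", constructed ids
    privacy: str  # audience the owner chose for this single edge


# Constructed sample graph: alice hides one app and one page with Only Me.
EDGES = [
    Edge("alice", "app:calendar", PUBLIC),
    Edge("alice", "app:dating", ONLY_ME),
    Edge("alice", "page:sitcom", ONLY_ME),
    Edge("bob", "app:calendar", PUBLIC),
    Edge("bob", "app:dating", FRIENDS),
    Edge("bob", "page:news", PUBLIC),
]
FRIENDS_OF = {"alice": {"bob"}, "bob": {"alice"}}
# Constructed stand-in for a public keyword index over pages.
PAGE_KEYWORDS = {"page:sitcom": "sitcom comedy", "page:news": "daily news"}


def can_view(viewer, edge):
    """Audience check for one edge: owner, public, or friends-only."""
    if viewer == edge.owner or edge.privacy == PUBLIC:
        return True
    if edge.privacy == FRIENDS:
        return viewer in FRIENDS_OF.get(edge.owner, set())
    return False  # ONLY_ME (or an unknown level): deny


def raw_edges(owner, kind):
    """All of owner's edges of a kind ("app" or "page"), privacy ignored."""
    return [e for e in EDGES if e.owner == owner and e.entity.startswith(kind + ":")]


def keyword_pages(query):
    """Public operand: pages whose keywords contain the query."""
    return {page for page, words in PAGE_KEYWORDS.items() if query in words}


def operand(viewer, spec, enforce):
    """Evaluate one operand into a set of (entity, source) pairs.

    spec is ("owner", user, kind) or ("keyword", query). The source tag is
    what a result page would render as "X uses this" / "X likes this".
    """
    if spec[0] == "keyword":
        return {(page, "keyword") for page in keyword_pages(spec[1])}
    _, owner, kind = spec
    edges = raw_edges(owner, kind)
    if enforce:
        edges = [e for e in edges if can_view(viewer, e)]
    return {(e.entity, f"{kind}-of:{owner}") for e in edges}


def combine(results, op):
    """Set algebra over operand results; intersection is taken on entities."""
    if op == "union":
        return set().union(*results)
    common = set.intersection(*({entity for entity, _ in r} for r in results))
    return {pair for r in results for pair in r if pair[0] in common}


def vulnerable_search(viewer, specs, op):
    """Modelled flaw: the privacy filter runs only on the intersection path,
    so a union returns edges the viewer was never allowed to see."""
    return combine([operand(viewer, s, enforce=(op == "intersect")) for s in specs], op)


def hardened_search(viewer, specs, op):
    """Fix: every operand is authorised for the viewer before any set algebra,
    so no operator can widen the result beyond what the viewer may see."""
    return combine([operand(viewer, s, enforce=True) for s in specs], op)


def leaked(viewer, specs, op):
    """Pairs the vulnerable search exposes that the hardened one withholds."""
    return vulnerable_search(viewer, specs, op) - hardened_search(viewer, specs, op)


if __name__ == "__main__":
    # mallory is nobody's friend; alice's Only Me app and page must stay hidden.
    apps = [("owner", "mallory", "app"), ("owner", "alice", "app")]
    pages = [("owner", "alice", "page"), ("keyword", "sitcom")]
    print("apps intersect leak:", leaked("mallory", apps, "intersect"))  # set()
    print("apps union leak:", leaked("mallory", apps, "union"))  # {('app:dating', 'app-of:alice')}
    print("pages union leak:", leaked("mallory", pages, "union"))  # {('page:sitcom', 'page-of:alice')}
```

The `source` tag in each result pair is what matters for the Pages case: the sitcom Page is public and appears through the keyword operand either way, but only the vulnerable union also returns the pair tagged `page-of:alice`, which is the "alice likes this" attribution the post's screenshot shows. The hardened version makes the operator irrelevant to authorization, which is the property a reviewer would want to see tested for every operator the search exposes.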

Special Thanks

I would like to thank the Facebook Security Team for understanding the bug and fixing it, and all my friends for supporting me throughout.

Timeline

Dec 1, 2015 - Report Sent
Dec 2, 2015 - Escalation by Facebook
Dec 2, 2015 - Additional information sent
Dec 5, 2015 - Additional information sent
Dec 13, 2015 - Pages Bug reported
Dec 16, 2015 - Asked for more information
Dec 18, 2015 - Additional information sent
Dec 18, 2015 - Asked for confirmation of fix
Dec 19, 2015 - More information sent to me by Facebook
Dec 20, 2015 - Not fixed confirmation by me
Jan 20, 2016 - Checked for updates
Jan 23, 2016 - Asked for confirmation of fix
Jan 23, 2016 - Not fixed confirmation by me
Feb 13, 2016 - Bug fixed
Feb 13, 2016 - Bounty awarded